🇰🇪 Kenya
Information
Extracts :
Extract :
"The Bill does not address this matter."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - PAK
Extracts :
Extract :
No mention of the subject right related to Persons within their jurisdiction
2022
Reference :
Kenya Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
No mention of the subject right related to Legal entities
2022
Reference :
Kenya Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The PDPA does not explicitly require data processors to report data breaches."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MYS
Extracts :
Extract :
"Sections 61 and 63 provide that the Data Protection Commissioner has the power to issue fines."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"penalty that may be imposed by the Data Commissioner in a penalty notice is up to 5,000,000 shillings [approx. €38,000], or in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"Section 56: A data subject who is aggrieved by a decision of any person under this Act may lodge a complaint with the Data Commissioner in accordance with this Act.
Section 65: A person who suffers damage by reason of a contravention of a requirement of this Act is entitled to compensation for that damage from the data controller or the data processor.
Section 58 of the Draft General Regulations: A person aggrieved by any decision under the Regulation or noncompliance with any provision may lodge a complaint with the Data Commissioner in accordance with the Act and the Regulations made thereunder."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"Section 58(3): Any person who, without reasonable excuse, fails to comply with an enforcement notice commits an offence and is liable on conviction to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
Baker McKenzie
Extracts :
Extract :
"Although the Act is less detailed, it contains broadly similar provisions to the GDPR in relation to DPIAs. This includes potential prior consultation and obligations to conduct DPIAs when processing is likely to result in high risks to data subjects."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
There is no comment by DataGuidance.
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"Section 43: (1) Where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, a data controller shall -
[...] (b) subject to subsection (3), communicate to the data subject in writing within a reasonably practical period, unless the identity of the data subject cannot be established."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"Section 43(1): Where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, a data controller shall (a) notify the Data Commissioner without delay, within seventy-two hours of becoming aware of such breach. .... "
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"Section 43(3): Where a data processor becomes aware of a personal data breach, the data processor shall notify the data controller without delay and where reasonably practicable, within forty-eight hours of becoming aware of such breach."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"Similar to the provisions of the GDPR, a data subject has the right to object to the processing of all or
part of their personal data. However, the legitimate interest for the processing which overrides the data
subject's rights may be applicable in limiting this right."
2022
Reference :
Kenya Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"Similar to the GDPR, a data subject has the right to receive their data in a structured, commonly used, machine-readable format, to transmit this ported data to another data controller or processor, or to request the transfer to another data controller or processor where possible.
The right to portability is limited to the extent that processing may be necessary for the performance of a public interest task, the exercise of official authority, or portability may adversely affect the rights and freedoms of others."
2022
Reference :
Kenya Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"8.7. Right not to be subject to automated decision-making
A data subject has the right to not be subject to automated decision-making including profiling, which
may produce legal effects on or may significantly affect the data subject."
2022
Reference :
Kenya Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.1. Right to be informed
The Act simply provides that a data subject has the right to be informed of the use to which their personal
data is to be subject."
2022
Reference :
Kenya Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.1. Right to be informed
The Act simply provides that a data subject has the right to be informed of the use to which their personal
data is to be subject. data controller or processor has the obligation to notify the data subject:
of their rights; that personal data is being collected;"
2022
Reference :
Kenya Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.2. Right to access
The data subject has the right to access their data that is in the custody of the data controller or data
processor, similar to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')."
2022
Reference :
Kenya Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.3. Right to rectification
The Act provides for the data subject's right to the correction of false or misleading data, to deletion of
false or misleading data, and to updating their data, similar to the GDPR.
The data controller or processor has an obligation to provide means for the data subject to make requests
for rectification."
2022
Reference :
Kenya Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.4. Right to erasure
Just like in the GDPR, the right to erasure is not absolute and applies under specific circumstances which
under the Act are: where the data is inaccurate, outdated, incomplete, or misleading; where the data
controller or processor is no longer authorised to retain the data; or the data is irrelevant, excessive, or
has been obtained unlawfully."
2022
Reference :
Kenya Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
Baker McKenzie
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
Baker McKenzie
Extracts :
Extract :
Data entered based on reference.
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
"Section 31(3): The data controller or data processor shall consult the Data Commissioner prior to the processing if a data protection impact assessment prepared under this section indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject.
[...] (5) The data impact assessment reports shall be submitted sixty days prior to the processing of data.
(6) The Data Commissioner shall set out guidelines for carrying out an impact assessment under this section.
Section 52 of the Draft General Regulations: (1) In conducting a data protection impact assessment, a data controller or a data processor may consult the Office for advice on whether risks identified and mitigation measures suggested are viable in the outlined circumstances"
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"The concepts of DPOs, their tasks, and the associated provisions regulating the appointment of DPOs are very similar between the GDPR and the Act. "
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"Section 24(7): A data protection officer shall (a) advise the data controller or data processor and their employees on data processing requirements provided under this Act or any other written law;
(b) ensure on behalf of the data controller or data processor that this Act is complied with;
(c) facilitate capacity building of staff involved in data processing operations;
(d) provide advice on data protection impact assessment; and (e) co-operate with the Data Commissioner and any other authority on matters relating to data protection.
Section 24(2): A data protection officer may be a staff member of the data controller or data processor and may fulfil other tasks and duties provided that any such tasks and duties do not result in the conflict of interest"
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"Section 24: (3) A group of entities may appoint a single data protection officer provided that such officer is accessible by each entity."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
"Section 43: (6) The communication of a breach to the data subject shall not be required where the data controller or data processor has implemented appropriate security safeguards which may include encryption of affected personal data.
(7) Where and to the extent that it is not possible to provide all the information mentioned in subsection (5) at the same time, the information may be provided in phases without undue delay."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
Baker McKenzie
Extracts :
Extract :
"The Act does not explicitly provide for equivalent record keeping obligations."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - KEN
| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Office of the Data Protection Commissioner (ODPC) | ODPC | Regulator | Independent agency | 2019 |

| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|